Outline. (Old) Java Security. What is Java? Java Modes of Use. Java Virtual Machine (VM) and Class File Format. Java Language
|
|
- Domenic Logan
- 6 years ago
- Views:
Transcription
1 Outline (Old) Java Security Adapted from presentation by David A. Wheeler Java Basics What is Java, Modes of Use, major components, implications, implementations, politics Security-related capabilities (JDK 1.0, 1.1, 1.2 ) Selected subsequent developments Miscellaneous Past breaches, malicious applets, advantages & disadvantages, key points 2 What is Java? Java Technologies: Java language Virtual machine (VM)/class file format Libraries Can use only VM or language Developed by Sun Cross-Platform (WORA) Libraries Source code Compiler Class files Virtual Machine User Developer Java Modes of Use Applets: Auto-run when view web page Applications: Traditional program (performance?) Beans: Component Servlets: Server-side applications Aglets: Intelligent Agents Doclets: Configurable doc generator Embedded Systems Smart Cards ( JavaCard ) 3 4 Java Language Modern object-oriented (OO) language OO with single inheritance + multiple interfaces Classes grouped into hierarchical packages Strong static typing (no arbitrary pointers) Automatic garbage collection Exceptions Multithreaded Lacks enumeration and templates (generics) Syntax ~C++, semantics ~Ada95/Smalltalk Java Virtual Machine (VM) and Class File Format Class file defines names/types/values of class variables, constants, methods Methods stored as instructions to stack-based VM VM executes class files (inc. collections of them) By interpretation, run-time compilation, or combination; performance is a significant issue Before execution, VM usually runs byte-code verifier to check legality of class file 5 6 1
2 Java Libraries Set of built-in APIs, including: GUIs Networking Computation Growth area Several classes are security-related This presentation will skim ordinary crypto functions such as ones for encryption/decryption, certificate management, etc., since they are not essentially unique Class and Method Access Control Modifiers Access Control Modifier Class or Interface Accessibility Member (Field or Method) Accessibility Public All All if class or interface is accessible; interface members always public Protected N/A Same package OR subclass default Same package Same package (Package private) Private N/A Only same class (not subclass) 7 8 Implications of Java Basics No arbitrary pointers: references ~ capabilities Only creator & createe have reference for new object If objectset doesn t pass a reference, you can t manipulate that object Can only manipulate objects in limited ways If data private, can only manipulate via methods Methods can be used to protect data Constructor method can limit who can create an object Notes on Java Implementations Java is the general technology Multiple Java Implementations Sun, Microsoft (derived), Kaffe, We emphasizes Sun s implementations Sun essentially controls the interface and reference implementation 9 10 Java: Caught in Political Cross-fire Microsoft Intentionally polluted with incompatible unmarked extensions to fool developers into un-portable code Sun sued & won court injunction partly forbidding this Sun Promised to support standardization (they have before) Customers trusted Sun & committed major resources Sun flirted with ISO, then halted cooperation Greatly angered users: Sun lied Linux port taken without warning or acknowledgement Suddenly charged royalties on enterprise edition, even to those who had partially funded its development Java: Recent Political Situation Sun controls spec & primary implementation Community license means Sun controls everything Java is essentially Sun proprietary language/technology Disincentive for other organizations IBM, etc., don t want to depend on a competitor Sole-source dangerous: surprise fees, nasty changes User best interests not in Sun/Microsoft interests To avoid total dependence on a capricious vendor: Consider open source, Linux, standardized languages
3 Security-Related Capabilities (1 of 2) JDK 1.0 (Fall 1995) Policy: Sandbox for applets; others unlimited Mechanisms: SecurityManager, Bytecode verifier, Classloader JDK 1.1 (Spring 1997) Policy: can also grant total trust to signed applets Mechanisms: Java Archive (JAR), crypto-related APIs Inflexible: Too little or too much privilege Security-Related Capabilities (2 of 2) Netscape & Microsoft Extensions Enabled more flexible approaches Incompatible with each other and with Sun J2SE (Java 2 Platform Standard Edition) (Fall 1998) Includes SDK 1.2 and runtime Policy: can also grant fine-grained privileges to specific applets/classes based on source and/or signatures Mechanisms: AccessController, ProtectionDomain, CodeSource, Permission, GuardedObject, Java Plug-in supports both Microsoft & Netscape Java 1.0 Security Policy Sandbox Policy (for applets) Cannot access local filesystem or devices Network connections only to applet load source Cannot invoke any local program or library Untrusted indicator on top-level windows Cannot manipulate basic classes or another ThreadGroup Appletviewer CL can be initialized to vary these Applications unlimited in 1.0; can code a policy SecurityManager Class defines check methods called by system E.G. checkread(string filename) Method throws exception if invalid To create a security policy from scratch: Create a subclass (code) & instantiate Install using System.setSecurityManager; this cannot be revoked or replaced This is used to create the Sandbox If no SecurityManager installed, all privileges granted Bytecode Verifier Checks a classfile for validity: Code only has valid instructions & register use Code does not overflow/underflow stack Does not convert data types illegally or forge pointers Accesses objects as correct type Method calls use correct number & types of arguments References to other classes use legal names Goal is to prevent access to underlying machine via forged pointers, crashes, undefined states ClassLoader Responsible for loading classes given classname, locates/generates its definition always looks at standard classes first every class has a reference to the classloader instance that defined it keeps namespaces of different applets separate (different ClassLoader instances) each ClassLoader instance ~ OS process CLASSPATH classes trusted in JDK , system classes trusted, otherwise invokes bytecode verifier
4 Java Archive (JAR) Format (1.1) Format for collecting & optionally signing sets of files ZIP format + manifest + optional signatures Manifest In file META-INF/MANIFEST.MF Lists (some) JAR filenames, digests, digest algorithm(s) (MD5, SHA) Signatures Separate manifest-like file, separate signature Java Cryptography Architecture (Added in 1.1) Java cryptography architecture (JCA) Framework (API) for access to services implemented by pluggable providers digital signature algorithms (DSA), message digest algorithms (MD5 & SHA-1), key-generation algorithms, simple certificate management (1.1 had no API for specific formats) Simple key management tool (simple database ) Problems with 1.0 through 1.1 Sandbox too limiting Trusted programs given too much power Hard to define new security policy Must write own SecurityManager Must install it on own JVM New privileges difficult to add New method must be added to SecurityManager Creates a backward incompatibility for each addition Security-Related Capabilities in Java 2 (SDK 1.2) Fine-grained configurable policies Sample Security Policy Runtime State: ProtectionDomain/CodeSource/Policy Java 2 Runtime Security Check Algorithm Permission & Its Subclasses SecurityManager & AccessController GuardedObject & Guard Java Cryptography Architecture (JCA) changes Java Cryptography Extension (JCE) Sample Fine-Grained Security Policy for One User Java 2: Each Class Has A ProtectionDomain Source of Code (CodeSource) Base URL Signature classes/stockeditor.jar Schwab s signature Permissions Read/write file /home/daw/stocks ProtectionDomain1 PermissionCollection CodeSource ProtectionDomain2 PermissionCollection CodeSource (not required) Connect/accept bankofamerica.com ports Read file /home/daw/logo.png Instance1 Class1... Class Asks ClassLoader1 Policy Instance
5 ProtectionDomain Class ProtectionDomain class Created from a CodeSource and a PermissionCollection Defines the set of permissions granted to classes; change the PermissionCollection to change permissions Each class belongs to ONE ProtectionDomain instance, set at class creation time (and never changed again) Access to these objects restricted; getting its reference requires RuntimePermission getprotectiondomain One ClassLoader can have >1 protection domain CodeSource Class Created from: a source (base) URL and array of certificates Immutable implies method implements URL partial matches Permits policies to use URL patterns Policy Class Provides interface to user policy Given a CodeSource, returns a PermissionCollection Used during setup of ProtectionDomain to set a class permissions How a Class and ProtectionDomain Are Loaded 1. Loaded class C1 requests an unloaded class C2 2. C1 s ClassLoader called, loads C2 s class file, calls bytecode verifier 3. C2 s CodeSource determined 4. Policy object given CodeSource, returns Permissions 5. If an existing ProtectionDomain has same CodeSource & Permissions, reused, else new ProtectionDomain created; C2 assigned to it Java 2 Runtime Security Check Algorithm If method M requires permission P M s implementation calls current SecurityManager s checkpermission(p) By default this calls new AccessController class For each call stack entry, unwind from caller: if caller s ProtectionDomain lacks P, exception (fail) if caller called doprivileged without context, return if caller called doprivileged with context, check it: return if context permits P, else exception (fail). Examples of Algorithm At Work Multiple ProtectionDomains: Instance1 M1 calls Instance2 M2 calls System1 M3 System1 M3 (in System s ProtectionDomain) asks for a permission check Permissions checked against the ProtectionDomains for System1, then Class2, then Class1 doprivileged call (without context): Same example, but first System1 M3 calls doprivileged When permission check requested, ProtectionDomain for System1 checked and no others checked
6 Context getcontext() takes a snapshot of current execution context ( stack trace ) snapshot includes ancestor threads stored in type AccessControlContext results can be stored & can used later to limit privileges (instead of enabling all privileges) Purpose: support actions on behalf of another one thread posts event to another delayed actions Algorithm Implications Default privileges are the intersection (minimum) of all class permissions in call tree Without doprivilege, permissions only decrease doprivilege enables all class privileges Like Unix setuid ; enables trusted classes to use their full set of privileges but only when requested Without context enables all privileges With context enables only those privileges also in given context; safe because resulting privileges always less than without context Warning: Don t Mix Protected Variables and Permission Checks If a method M1 is not overridden, the ProtectionDomain of its defining superclass used Methods running (even indirectly) with privilege shouldn t depend on protected variables Attacker creates subclass with new method M2 M2 modifies protected variable used by M1 Cause M1 to be invoked; M1 influenced by M2! Identified by David A. Wheeler Oct 1999 Permission Class Permission class Encapsulates a permission granted or requested Can be set read-only (from then on immutable) Can be grouped using classes PermissionCollection and Permissions Permission Subclasses: FilePermission Class Gives rights to local files/directories Path name/pattern Specific path: file, directory, directory/file All files in directory: directory/* All files recursively in directory: directory/- For current directory, omit directory/ For all files (dangerous), <<ALL FILES>> Rights set (1+): read, write, execute, delete Permission Subclasses: SocketPermission Host Local machine:, localhost Given machine: IP address or hostname All hosts in a domain: *.domain All hosts: * Portrange Single port: portnumber Port range: port1-port2, port1-, -port2 Actions (1+): accept, connect, listen, resolve
7 Permission Subclasses: PropertyPermission Gives rights to properties Similar to OS environment variables Target Specific property: os.name Pattern: java.* Actions (1+): read, write Permission Subclasses: Other Permission Subclasses RunTimePermission: string with permission name createclassloader getclassloader setsecuritymanager exitvm... Many other specialized Permission subclasses AllPermission special class meaning all permissions SecurityManager Changes New method checkpermission(p) Throws exception if permission P not held, else returns All previous check methods rewritten in terms of checkpermission Permits creation of new Permissions without changing SecurityManager By default, calls on AccessController class AccessController implements the new algorithm 39 GuardedObject (1 of 3) To protect one method in all instances, use SecurityManager directly as seen so far To protect a reference to an individual instance, consider using GuardedObject : requesting class getobject() 3 1 reply with object-toguard GuardedObject 2 checkguard() Guard object-to-guard 40 GuardedObject (2 of 3) GuardedObject class encapsulates object-toguard asks Guard interface to determine if access ok Permission implements Guard by calling SecurityManager. checkpermission(self) PermissionCollection doesn t implement Provider of object-to-guard does the following: Instantiates new Guard (e.g., a Permission) Instantiates GuardedObject, using object-to-guard and the guard Gives GuardedObject s reference to requestors GuardedObject (3 of 3) Clients who wish to use object-to-guard call GuardedObject s getobject() GuardedObject instance calls its Guard s checkguard() if ok, object-to-guard s reference returned if not ok, security exception thrown
8 Java Cryptography Architecture (JCA) Changes in 1.2 Adds more APIs that providers can support Keystore creation and management Algorithm parameter management Algorithm parameter generation Conversions between different key representations Certificate factory support to generate certificates and certificate revocation lists (CRLs) from their encodings (Sun implements X.509 s) Random-number generation (RNG) algorithm Java Cryptography Extension (JCE) Adds encryption, key exchange, key generation, message authentication code (MAC) Multiple providers supported Keys & certificates in keystore database Separate due to export control Other Areas In Development: JSSE and JAAS Java Secure Socket Extension Implements SSL Java Authentication and Authorization Service Based on PAM: pluggable authenticators for passwords, smart cards, biometric devices, etc. Authenticators may be required, requisite (stop on failure), sufficient (but not required), or optional Adds user-centric (vs. code-centric) control: permissions granted to Principal (not just CodeSource), implemented through a modified SecurityManager Past Java Security Breaches (1 of 2) 8 Serious Breaches listed in Java Security (1997) Jumping the Firewall (DNS interaction) Slash and Burn (slash starts classname) Applets running wild (evil class loader installed and creates type confusion) Casting Caution (failed to test if method private, type casting) Tag-Team Applets (create type confusion) Past Java Security Breaches (2 of 2) You re not my type (flaw in array implementation - type confusion) Casting Caution #2 (as before, but in a loop test wasn t repeated) Big Attacks Come in Small Packages (untrusted code could be loaded into sensitive packages, e.g. com.ms, and gain their privileges) Others have been announced since See Many are problems in bytecode verifier or classloader Malicious Applets (Staying Within the Sandbox) Denial of Service Deny platform use (busy threads, loop, exhaust GUI resources) Kill other threads Invasion of Privacy Annoyance: constant sound Flashing display (causes seizures in some users) Steal CPU cycles (e.g. crack encryption)
9 Java Advantages Permits controlled execution of less trusted code (vs. ActiveX) Permits fine-grained permission control Attention paid to security Portability Instant installation Sun s source reviewable (not open source) Java Security Disadvantages (1 of 3) Hard to prove correct complex from security point-of-view rapidly expanding/changing VM+libraries lacks formal security model Many internal interdependencies (vs. reference monitors); often breaks all the way Complex dependencies on other systems OS, browsers, network (DNS), PKI Java Security Disadvantages (2 of 3) Applets evade many security measures (e.g. most firewalls) Breaches demonstrated No standardized auditing (MS extension) Simplifies reverse engineering of code (problem?) Poor performance may encourage security-weakening shortcuts Java Security Disadvantages (3 of 3) Weak against denial-of-service & nuisances Insecure implementation defaults (e.g. null ClassLoader or SecurityManager) Security policy management too complex for end-users and weak administrative support Flexible policies accepted by users may permit hidden breaching interactions Key Points Progression of Access Control Flexibility JDK 1.0: Sandbox + total trust of local applications JDK 1.1: Above + optional total trust with signature SDK 1.2: Above + Fine-grained access control Java 2 ProtectionDomains Checks call tree, by default intersection of permissions doprivilege permits permissions to be re-enabled GuardedObject to protect specific objects Useful References Li Gong, Inside Java 2 Platform Security, 1999, Palo Alto, CA: Addison-Wesley. G. McGraw & E. Felten, Java Security: Hostile Applets, Holes, and Antidotes, 1997, NY: John Wiley & Sons. G. McGraw & E. Felten, Securing Java: Getting Down to Business with Mobile Code, 1999, NY: John Wiley & Sons, Sun s Java website:
Three Big Mechanisms
Java Security By Matt Payne, CISSP Derived from Wheeler s GPLed slides tinyurl.com/eyrjl CertConf.org Wednesday, August 10th, 10:30 AM Level: Beginner Slides are at MattPayne.org/talks Three Big Mechanisms
More informationThe security mechanisms of Java
The security mechanisms of Java Carlo U. Nicola, SGI FHNW With extracts from publications of : Sun developers' center documentation; David A. Wheeler, UC Berkeley; Klaus Ostermann, TH-Darmstadt. Topics
More informationJava Security. A Brief Introduction. Fred Long. The University of Wales, Aberystwyth UK. U.W. Aberystwyth CS25610/CHM5610. Java Security p.
Java Security A Brief Introduction Fred Long The University of Wales, Aberystwyth UK Java Security p.1/24 Some Books Java Security, by Scott Oaks, O Reilly, 2nd edition, 2001. Inside Java 2 Platform Security,
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationOutline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final
More informationJava Security HotJava to Netscape and Beyond
Java Security HotJava to Netscape and Beyond Drew Dean Ed Felten Dan Wallach Department of Computer Science Princeton University 4/5/96 Introduction Q Remote Code is Everywhere Q Java - A new language
More informationJava 2 Security. Dean Wette Senior Software Engineer Object Computing, Inc.
Java 2 Security Dean Wette Senior Software Engineer Object Computing, Inc. St. Louis Java Users Group, 11 Oct. 2001 University of MO-Rolla, Computer Science Colloquium, 1 Nov. 2001 Overview Java Platform
More informationJava Security. Lecture 10 March 5, 2013
Java Security Lecture 10 March 5, 2013 1 Java Technology Has been established as important for enterprise applications To ease platform independent application development Java Servlets, JavaServer Pages
More informationCMPSC 497: Java Security
CMPSC 497: Java Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1 Enforcement Mechanisms Static mechanisms
More informationSoftware Security. Case Study: Java 2 Security. Copyright of HeathWallace 2008
Software Security Case Study: Java 2 Security 1 Agenda About Us Objectives Introduction Foundations of Java 2 Security Tools and APIs Conclusion 2 About Us 3 About HeathWallace Dominant supplier of online
More informationApril 3 April 3. Has been established as important for enterprise applications
Java Security April 3 April 3 Java Technology Has been established as important for enterprise applications To ease platform independent application development Java Servlets, JavaServer Pages (JSP), Enterprise
More informationCourse 834 EC-Council Certified Secure Programmer Java (ECSP)
Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class
More informationWhen Java technology burst onto the Internet scene in 1995,
MOBILE CODE SECURITY SECURE JAVA CLASS LOADING The class loading mechanism, LI GONG Sun Microsystems central to Java, plays a key role in JDK 1.2 by enabling When Java technology burst onto the Internet
More informationSecurity for the Java. Going Beyond Standard. Otto Moerbeek. Chief Architect, Tryllian
Going Beyond Standard Security for the Java Platform Otto Moerbeek Chief Architect, Tryllian otto@tryllian.com 2 Outline Tryllian s platform Standard Java security model Tryllian s requirements Tryllian
More informationSecurity SYSTEM SOFTWARE 1
Security SYSTEM SOFTWARE 1 Security Introduction Class Loader Security Manager and Permissions Summary SYSTEM SOFTWARE 2 Security Mechanisms in Java Virtual machine erroneous array accesses forbidden casts
More informationArchitectures for secure portable executable content
Architectures for secure portable executable content Stefanos Gritzalis George Aggelis and Diomidis Spinellis The authors Stefanos Gritzalis is Assistant Professor in the Department of Informatics at the
More informationAddressing Security In The Eclipse Core Runtime (RCP)
Addressing Security In The Eclipse Core Runtime (RCP) What is needed & how do we get there? Larry Koved, Marco Pistoia, Ted Habeck IBM T. J. Watson Research Center Hawthorne, New York Eclipse RCP is intended
More informationThe Java Language Implementation
CS 242 2012 The Java Language Implementation Reading Chapter 13, sections 13.4 and 13.5 Optimizing Dynamically-Typed Object-Oriented Languages With Polymorphic Inline Caches, pages 1 5. Outline Java virtual
More informationDistributed Systems Security: Java, CORBA, and COM+ April L. Moreno September 14, Abstract
Distributed Systems Security: Java, CORBA, and COM+ April L. Moreno September 14, 2002 Abstract Security can have varying levels of difficulty for implementation. One factor in determining the difficulty
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 4
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 4 Access Control Last time: Unix/Windows access control at the OS level. Access control matrix Reference monitor Today: Stack Inspection
More informationProtection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle
Protection Discuss the goals and principles of protection in a modern computer system Explain how protection domains combined with an access matrix are used to specify the resources a process may access
More informationJava Internals. Frank Yellin Tim Lindholm JavaSoft
Java Internals Frank Yellin Tim Lindholm JavaSoft About This Talk The JavaSoft implementation of the Java Virtual Machine (JDK 1.0.2) Some companies have tweaked our implementation Alternative implementations
More informationIntroduction to Java. Lecture 1 COP 3252 Summer May 16, 2017
Introduction to Java Lecture 1 COP 3252 Summer 2017 May 16, 2017 The Java Language Java is a programming language that evolved from C++ Both are object-oriented They both have much of the same syntax Began
More informationAlexander V. Konstantinou. Java Security. Columbia University. Fall 2002
Java Security Alexander V. Konstantinou Columbia University akonstan@cs.columbia.edu Fall 2002 1 The Java Platform (Review) Java Programming Language Java Libraries Java Virtual Machine (JVM) Java Source
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market (Apache has 70%; IIS has 20%) Both major servers have lots
More informationJava RMI. Algorithmen und Programmierung V Netzprogrammierung. Volker Roth. Wintersemester 2009/2010. Institut für Informatik Freie Universität Berlin
Java RMI Algorithmen und Programmierung V Netzprogrammierung Volker Roth Institut für Informatik Freie Universität Berlin Wintersemester 2009/2010 Overview 1. Factory design pattern 2. Codebases 3. Remote
More informationRunning Mistyped Code. Lecture 19: Java Security. Running Mistyped Code. Java Security Architecture. JavaVM. Reference Monitors
CS16: Program and Data Representation University of Virginia Computer Science Spring 006 David Evans Lecture 19: Java Security PS6 Submission: Only to be eligible for the Byte Code Wizard awards. If the
More informationSecurity Administrator guide
JADE TUTORIAL Security Administrator guide USAGE RESTRICTED ACCORDING TO LICENSE AGREEMENT. last update: 19-September-2002. JADE 2.61 Author: Giosuè Vitaglione (TILAB, formerly CSELT) Copyright (C) 2002
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache has 49%; IIS has 36% (source: http://news.netcraft.com/archives/2008/09/30/
More informationSecurity Vulnerability Notice
Security Vulnerability Notice SE-2012-01-IBM-2 [Security vulnerabilities in Java SE, Issues 62-68] DISCLAIMER INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS
More informationIntroduction to Java Programming
Introduction to Java Programming Lecture 1 CGS 3416 Spring 2017 1/9/2017 Main Components of a computer CPU - Central Processing Unit: The brain of the computer ISA - Instruction Set Architecture: the specific
More informationChapter 10 Web-based Information Systems
Prof. Dr.-Ing. Stefan Deßloch AG Heterogene Informationssysteme Geb. 36, Raum 329 Tel. 0631/205 3275 dessloch@informatik.uni-kl.de Chapter 10 Web-based Information Systems Role of the WWW for IS Initial
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationArchitecture. Steven M. Bellovin October 27,
Architecture Steven M. Bellovin October 27, 2015 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationToday. Instance Method Dispatch. Instance Method Dispatch. Instance Method Dispatch 11/29/11. today. last time
CS2110 Fall 2011 Lecture 25 Java program last time Java compiler Java bytecode (.class files) Compile for platform with JIT Interpret with JVM Under the Hood: The Java Virtual Machine, Part II 1 run native
More informationJava Security. Compiler. Compiler. Hardware. Interpreter. The virtual machine principle: Abstract Machine Code. Source Code
Java Security The virtual machine principle: Source Code Compiler Abstract Machine Code Abstract Machine Code Compiler Concrete Machine Code Input Hardware Input Interpreter Output 236 Java programs: definitions
More informationSelected Java Topics
Selected Java Topics Introduction Basic Types, Objects and Pointers Modifiers Abstract Classes and Interfaces Exceptions and Runtime Exceptions Static Variables and Static Methods Type Safe Constants Swings
More informationSecurity Policy File Best Practices For Your Java/JDBC Modules
Security Policy File Best Practices For Your Java/JDBC Modules Ilesh Garish, PMTS, Oracle Douglas Surber, CMTS, Oracle Kuassi Mensah, Director, PM, Oracle Oct 02, 2017 2 Safe Harbor Statement The following
More information1 OBJECT-ORIENTED PROGRAMMING 1
PREFACE xvii 1 OBJECT-ORIENTED PROGRAMMING 1 1.1 Object-Oriented and Procedural Programming 2 Top-Down Design and Procedural Programming, 3 Problems with Top-Down Design, 3 Classes and Objects, 4 Fields
More informationExploiting JRE - JRE Vulnerability: Analysis & Hunting
Exploiting JRE - JRE Vulnerability: Analysis & Hunting @Hitcon 2013 xye0x01@gmail.com nforest@live.cn About Us Xiao Lee(xye0x01),Sen Nie(nforest) SHANGHAI JIAO TONG UNIVERSITY Major in Computer Science
More informationModeling and Analyzing Security Requirements for Java
Modeling and Analyzing Security Requirements for Java A Major Qualifying Project Submitted to the Faculty of Worcester Polytechnic Institute In partial fulfilment of the requirements for the Degree of
More informationAgenda. Announcements. Extreme Java G Session 2 - Main Theme Java Tools and Software Engineering Techniques
Extreme Java G22.3033-007 Session 2 - Main Theme Java Tools and Software Engineering Techniques Dr. Jean-Claude Franchitti New York University Computer Science Department Courant Institute of Mathematical
More informationHigh-Level Language VMs
High-Level Language VMs Outline Motivation What is the need for HLL VMs? How are these different from System or Process VMs? Approach to HLL VMs Evolutionary history Pascal P-code Object oriented HLL VMs
More informationAtelier Java - J1. Marwan Burelle. EPITA Première Année Cycle Ingénieur.
marwan.burelle@lse.epita.fr http://wiki-prog.kh405.net Plan 1 2 Plan 3 4 Plan 1 2 3 4 A Bit of History JAVA was created in 1991 by James Gosling of SUN. The first public implementation (v1.0) in 1995.
More informationSaikat Banerjee Page 1
1. What s the advantage of using System.Text.StringBuilder over System.String? StringBuilder is more efficient in the cases, where a lot of manipulation is done to the text. Strings are immutable, so each
More informationSpecial Topics: Programming Languages
Lecture #23 0 V22.0490.001 Special Topics: Programming Languages B. Mishra New York University. Lecture # 23 Lecture #23 1 Slide 1 Java: History Spring 1990 April 1991: Naughton, Gosling and Sheridan (
More informationOracle Insurance Rules Palette
Oracle Insurance Rules Palette Security Guide Version 10.2.0.0 Document Part Number: E62439-01 August, 2015 Copyright 2009, 2015, Oracle and/or its affiliates. All rights reserved. Trademark Notice Oracle
More informationJava for Programmers Course (equivalent to SL 275) 36 Contact Hours
Java for Programmers Course (equivalent to SL 275) 36 Contact Hours Course Overview This course teaches programmers the skills necessary to create Java programming system applications and satisfies the
More informationPlatform SDK Deployment Guide. Platform SDK 8.1.2
Platform SDK Deployment Guide Platform SDK 8.1.2 1/1/2018 Table of Contents Overview 3 New in this Release 4 Planning Your Platform SDK Deployment 6 Installing Platform SDK 8 Verifying Deployment 10 Overview
More informationHow are classes loaded into the Java Virtual Machine (JVM)? from the local file system (CLASSPATH). by an instance of ClassLoader
36 ClassLoader How are classes loaded into the Java Virtual Machine (JVM)? from the local file system (CLASSPATH). by an instance of ClassLoader... and when? - When they are needed the first time. class
More informationSELF-STUDY. Glossary
SELF-STUDY 231 Glossary HTML (Hyper Text Markup Language - the language used to code web pages) tags used to embed an applet. abstract A class or method that is incompletely defined,
More informationJohn Heimann Director, Security Product Management Oracle Corporation
John Heimann Director, Security Product Management Oracle Corporation Oracle9i Application Server v2 Security What s an Application Server? Development and deployment environment Web(HTML,XML,SOAP) J2EE
More informationLabels and Information Flow
Labels and Information Flow Robert Soulé March 21, 2007 Problem Motivation and History The military cares about information flow Everyone can read Unclassified Few can read Top Secret Problem Motivation
More informationAccess Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.
Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes
More informatione-commerce Study Guide Test 2. Security Chapter 10
e-commerce Study Guide Test 2. Security Chapter 10 True/False Indicate whether the sentence or statement is true or false. 1. Necessity refers to preventing data delays or denials (removal) within the
More informationSecurity Philosophy. Humans have difficulty understanding risk
Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy
More informationThe Java Technical Details. ICW Lecture 3 Tom Chothia
The Java Technical Details ICW Lecture 3 Tom Chothia Reminder of Last Time: Your programs defines Classes. Each class defines Objects. An Object is defined as having a number of Fields that store data......and
More informationSecuring Apache Tomcat. AppSec DC November The OWASP Foundation
Securing Apache Tomcat AppSec DC November 2009 Mark Thomas Senior Software Engineer & Consultant SpringSource mark.thomas@springsource.com +44 (0) 2380 111500 Copyright The Foundation Permission is granted
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationAgenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1
Agenda CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Summer 2004 Java virtual machine architecture.class files Class loading Execution engines Interpreters & JITs various strategies
More informationLearning objectives. The Java Environment. Java timeline (cont d) Java timeline. Understand the basic features of Java
Learning objectives The Java Environment Understand the basic features of Java What are portability and robustness? Understand the concepts of bytecode and interpreter What is the JVM? Learn few coding
More informationExam Name: IBM Certified System Administrator - WebSphere Application Server Network Deployment V7.0
Vendor: IBM Exam Code: 000-377 Exam Name: IBM Certified System Administrator - WebSphere Application Server Network Deployment V7.0 Version: Demo QUESTION 1 An administrator would like to use the Centralized
More informationSharing Secrets using Encryption Facility - Handson
Sharing Secrets using Encryption Facility - Handson Lab Steven R. Hart IBM March 12, 2014 Session Number 14963 Encryption Facility for z/os Encryption Facility for z/os is a host based software solution
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationPace University. Fundamental Concepts of CS121 1
Pace University Fundamental Concepts of CS121 1 Dr. Lixin Tao http://csis.pace.edu/~lixin Computer Science Department Pace University October 12, 2005 This document complements my tutorial Introduction
More informationMQ Jumping... Or, move to the front of the queue, pass go and collect 200
MQ Jumping.... Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue
More informationCSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1
CSE P 501 Compilers Java Implementation JVMs, JITs &c Hal Perkins Winter 2008 3/11/2008 2002-08 Hal Perkins & UW CSE V-1 Agenda Java virtual machine architecture.class files Class loading Execution engines
More informationProgramming Securely II
Programming Securely II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 6th March 2014 Outline Web security issues Java Security: Coding and Models Trusting code
More informationAPI Knowledge Coding Guide Version 7.2
API Knowledge Coding Guide Version 7.2 You will be presented with documentation blocks extracted from API reference documentation (Javadocs and the like). For each block, you will be also presented with
More informationInterpreting Languages for the Java Platform
Interpreting Languages for the Java Platform http://www2.hursley.ibm.com/netrexx/ Mike Cowlishaw IBM Fellow mfc@uk.ibm.com netrexxi Overview A (very) brief introduction to NetRexx Demonstration -- compiling
More informationInstructions 1 Elevation of Privilege Instructions
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play
More informationAccessing the Ministry Secure File Delivery Service (SFDS)
Ministry of Health Services Accessing the Ministry Secure File Delivery Service (SFDS) A Guide for New Users To SFDS And Digital Certificate Installation May 2004 Preface Purpose Audience Structure This
More informationIntroduction to Visual Basic and Visual C++ Introduction to Java. JDK Editions. Overview. Lesson 13. Overview
Introduction to Visual Basic and Visual C++ Introduction to Java Lesson 13 Overview I154-1-A A @ Peter Lo 2010 1 I154-1-A A @ Peter Lo 2010 2 Overview JDK Editions Before you can write and run the simple
More informationJava Security: a Ten-Year Retrospective. Li Gong Mozilla Online Ltd. December 10, 2009
Java Security: a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com December 10, 2009 300~ Pages of Meeting Notes 1000~ Meetings in 30 months Why Security Technologies
More informationInstructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play
More informationCS 231 Data Structures and Algorithms, Fall 2016
CS 231 Data Structures and Algorithms, Fall 2016 Dr. Bruce A. Maxwell Department of Computer Science Colby College Course Description Focuses on the common structures used to store data and the standard
More informationKAIST Graduate School of Information Security SAR(Security Analysis Report)
Document # CSRC-12-03-011 Title Java Applet Vulnerability Analysis (CVE-2012-5076) Type Attack Trend Technical Analysis Specialty Analysis Data November 15, 2012 Modified November 19, 2012 Author KAIST
More informationInternet Application Developer
Internet Application Developer SUN-Java Programmer Certification Building a Web Presence with XHTML & XML 5 days or 12 evenings $2,199 CBIT 081 J A V A P R O G R A M M E R Fundamentals of Java and Object
More informationAdvanced Object-Oriented Programming Introduction to OOP and Java
Advanced Object-Oriented Programming Introduction to OOP and Java Dr. Kulwadee Somboonviwat International College, KMITL kskulwad@kmitl.ac.th Course Objectives Solidify object-oriented programming skills
More informationSecurity Vulnerability Notice
Security Vulnerability Notice SE-2012-01-ORACLE-11 [Security vulnerabilities in Java SE, Issues 56-60] DISCLAIMER INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
More informationZhifu Pei CSCI5448 Spring 2011 Prof. Kenneth M. Anderson
Zhifu Pei CSCI5448 Spring 2011 Prof. Kenneth M. Anderson Introduction History, Characteristics of Java language Java Language Basics Data types, Variables, Operators and Expressions Anatomy of a Java Program
More informationJava WebStart, Applets & RMI
Java WebStart, Applets & RMI 11-13-2013 Java WebStart & Applets RMI Read: Java Web Start Tutorial Doing More with Rich Internet Applications Java Web Start guide Exam#2 is scheduled for Tues., Nov. 19,
More informationArchitecture. Steven M. Bellovin October 31,
Architecture Steven M. Bellovin October 31, 2016 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationVII. Corente Services SSL Client
VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...
More informationCSE543 - Introduction to Computer and Network Security. Module: Operating System Security
CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1 OS Security An secure OS should provide (at least) the following mechanisms Memory protection
More informationOrbix Release Notes
Orbix 6.3.8 Release Notes Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK http://www.microfocus.com Copyright Micro Focus 2015. All rights reserved. MICRO FOCUS, the Micro Focus
More informationIntroduction. Overview of the Course on Java. Overview of Part 1 of the Course
Introduction Michael B. Spring Department of Information Science and Telecommunications University of Pittsburgh spring@imap.pitt.edu http://www.sis.pitt.edu /~spring Overview of the Course on Java Part
More informationJava Programming Language Mr.Rungrote Phonkam
2 Java Programming Language Mr.Rungrote Phonkam rungrote@it.kmitl.ac.th Contents 1. Intro to Java. 2. Java Platform 3. Java Language 4. JDK 5. Programming Steps 6. Visual Programming 7. Basic Programming
More informationThis is a known issue (SVA-700) that will be resolved in a future release IMPORTANT NOTE CONCERNING A VBASE RESTORE ISSUE
SureView Analytics 6.1.1 Release Notes ================================= --------- IMPORTANT NOTE REGARDING DOCUMENTATION --------- The Installation guides, Quick Start Guide, and Help for this release
More informationBEA AquaLogic. Enterprise Security. Glossary
BEA AquaLogic Enterprise Security Glossary Verson: 3.0 Revised: December 2007 Contents Glossary 1 AAA 1 access control 1 access decision 1 accountability 1 adjudication provider 2 administration console
More informationThe NetRexx Interpreter
The NetRexx Interpreter http://www2.hursley.ibm.com/netrexx/ RexxLA / WarpTech -- 26 May 2000 Mike Cowlishaw IBM Fellow mfc@uk.ibm.com netrexxi Overview Introduction to NetRexx Demo. -- compiling and interpreting
More informationELEC 377 Operating Systems. Week 1 Class 2
Operating Systems Week 1 Class 2 Labs vs. Assignments The only work to turn in are the labs. In some of the handouts I refer to the labs as assignments. There are no assignments separate from the labs.
More informationChapter 1 Introduction to Java
Chapter 1 Introduction to Java 1 Why Java? The answer is that Java enables users to develop and deploy applications on the Internet for servers, desktop computers, and small hand-held devices. The future
More informationmetaxa and the Future of Reflection
metaxa and the Future of Reflection Michael Golm, Jürgen Kleinöder University of Erlangen-Nürnberg Dept. of Computer Science 4 (Operating Systems) Martensstr. 1, D-91058 Erlangen, Germany {golm, kleinoeder}@informatik.uni-erlangen.de
More informationChapter 1 Introduction to Computers, Programs, and Java. What is a Computer? A Bit of History
Chapter 1 Introduction to Computers, Programs, and Java CS170 Introduction to Computer Science 1 What is a Computer? A machine that manipulates data according to a list of instructions Consists of hardware
More informationPublic Key Infrastructures
Public Key Infrastructures How to store private keys? Chapter 6 Private Keys Cryptography and Computeralgebra Vangelis Karatsiolis Alexander Wiesmaier 1 2 Personal Security Environment (PSE) Realisation
More informationSEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security
SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the
More informationIntroduction to Java
Introduction to Java Module 1: Getting started, Java Basics 22/01/2010 Prepared by Chris Panayiotou for EPL 233 1 Lab Objectives o Objective: Learn how to write, compile and execute HelloWorld.java Learn
More informationAN ISO 9001:2008 CERTIFIED COMPANY ADVANCED. Java TRAINING.
AN ISO 9001:2008 CERTIFIED COMPANY ADVANCED Java TRAINING www.webliquids.com ABOUT US Who we are: WebLiquids is an ISO (9001:2008), Google, Microsoft Certified Advanced Web Educational Training Organisation.
More information